HTTP Protocol & Streams
Security and Introduction
Protocol
HTTP(S) – 80/443
The HTTP Protocol
• Standard for transferring documents on the
World Wide Web (RFC 2616 – 1.1)
• TCP/IP based communications protocol
• The protocol is –
– connectionless
– media-independent
– stateless
– mostly all text
Sample HTTP exchange
• Browser = client, Web server = server
HTTP Request (client -> server):
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

HTTP Response (server -> client):
HTTP/1.1 200 OK
Date: Thu, 14 Jul 2005 20:27:45 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
HTTP Request and Response
• Methods – GET, POST, HEAD
• New Methods in HTTP 1.1
• Header fields: Server, Host, Length, etc.
• Response codes – 200, 404, 500, etc.
HTTP Methods - Common
• The GET method
• The HEAD method
• The POST method
The GET Method
• retrieves the entity identified by the Request-URI
• can be used to submit form data
– URL-encodes the form data and appends it to the Request-URI
• query length is limited
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
The POST method
• sends a data block with the request to the server
• extra headers describe the message body
• query length can be unlimited
POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

search=searchtext
Analyzing HTTP traffic
• Security assessment needs sound knowledge of HTTP analysis
• Both tools and an analytical mindset are needed to analyze the traffic
• What to look for? Methods, cookies, query string, etc.
• All of this is part of HTTP; response analysis is equally important.
Other methods in HTTP/1.1
• TRACE
– echoes back the received request
• used with Via: and Max-Forwards: for debugging
• PUT
– uploads a representation of the specified resource
• DELETE
– deletes the specified resource
• OPTIONS (extensibility hook)
– returns the HTTP methods supported by the server
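As an added example (not from the slides), a small parser for raw HTTP/1.1 messages that pulls out the fields the "Analyzing HTTP traffic" slide lists (method, query string, cookies, body, response status line) and flags the HTTP/1.1 methods listed above that deserve a second look during review. The sample request and response are constructed for the demo and modelled on the slides' GET/POST examples; it assumes CRLF or LF line endings and one header per line.

```javascript
// Added example, not the slides' own code: a minimal HTTP/1.1 message parser
// for traffic analysis. Assumes unfolded headers and CRLF or LF line endings.

// HTTP/1.1 methods beyond GET/POST/HEAD that a reviewer should look at twice
const REVIEW_METHODS = new Set(['TRACE', 'PUT', 'DELETE', 'OPTIONS']);

// Percent-decode a query/form token; malformed escapes are returned verbatim
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Header names are case-insensitive (RFC 2616 4.2); repeated names are comma-joined
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;                      // skip malformed header lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// URL query strings and application/x-www-form-urlencoded bodies share one syntax
function parseQuery(query) {
  const params = {};
  if (!query) return params;
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const v = eq === -1 ? '' : pair.slice(eq + 1);
    params[safeDecode(k)] = safeDecode(v);
  }
  return params;
}

function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Split a raw message into start line, header block and body at the blank line
function splitMessage(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const [startLine, ...headerLines] = head.split('\n');
  return { startLine, headers: parseHeaders(headerLines), body };
}

function parseRequest(raw) {
  const { startLine, headers, body } = splitMessage(raw);
  const [method, target, version] = startLine.split(' ');
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = parseQuery(q === -1 ? '' : target.slice(q + 1));
  const isForm = (headers['content-type'] || '').startsWith('application/x-www-form-urlencoded');
  const declared = 'content-length' in headers ? Number(headers['content-length']) : null;
  return {
    method, path, version, query, headers,
    cookies: parseCookies(headers['cookie']),
    form: isForm ? parseQuery(body.trim()) : {},
    reviewMethod: REVIEW_METHODS.has(method),
    // A Content-Length that disagrees with the actual body is worth flagging
    lengthMatches: declared === null || declared === Buffer.byteLength(body, 'utf8'),
  };
}

function parseResponse(raw) {
  const { startLine, headers, body } = splitMessage(raw);
  const [version, status, ...reason] = startLine.split(' ');
  // The Server banner is the version-disclosure field response analysis looks for
  return { version, status: Number(status), reason: reason.join(' '), headers, body,
           server: headers['server'] || null };
}

// Constructed sample messages (not captured traffic), modelled on the slides
const SAMPLE_REQUEST = [
  'POST /cgi-bin/search.cgi?debug=1 HTTP/1.1',
  'Host: example.com',
  'Cookie: session=abc123; theme=dark',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 17',
  '',
  'search=searchtext',
].join('\r\n');

const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)',
  'Content-Type: text/html; charset=UTF-8',
  'Content-Length: 5',
  '',
  'hello',
].join('\r\n');
```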
HTTP Streams
Ajax
Ajax model
[Figure: Classic web application model vs. Ajax-enabled web application model.
Classic model: the user interface in the browser sends an HTTP request across the transport layer to the web server; the server-side systems (data stores, backend processing, legacy systems) answer with HTML + CSS data.
Ajax-enabled model: the user interface makes a JavaScript call to the Ajax engine in the browser; the Ajax engine sends an HTTP request to a web and/or XML server, the server-side systems answer with XML data, and the Ajax engine updates the user interface with HTML + CSS data.]
Ajax introduction
DOM
• Dynamic HTML
• Browser loads Document Object Model
• DOM can be manipulated by scripts in the
browser
• Components
– History
– Location
– Forms, etc.
XHR object
• No raw sockets in the browser
• XHR (the XMLHttpRequest object) provides socket-like access to the browser
• It has an event model and an asynchronous communication setup
• XML is an easy data structure to access and consume in the browser
• JavaScript makes a call through XHR and accesses data from the server
XHR - Ajax
function getajax()
{
    var http;
    // Standards-compliant browsers expose XMLHttpRequest directly;
    // older Internet Explorer versions expose it through ActiveX
    if (window.XMLHttpRequest) {
        http = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        http = new ActiveXObject("Msxml2.XMLHTTP");
        if (!http) {
            http = new ActiveXObject("Microsoft.XMLHTTP");
        }
    }
    // Asynchronous GET for a text resource on the same origin
    http.open("GET", "./ajax.txt", true);
    http.onreadystatechange = function()
    {
        // readyState 4: the request is complete and the response text
        // is injected straight into the DOM
        if (http.readyState == 4) {
            var response = http.responseText;
            document.getElementById('main').innerHTML = response;
        }
    }
    http.send(null);
}
RIA
RIA
• Rich Internet Applications can be created using Flash technologies
• There are various technologies through which such applications can be created
• Supports various libraries
• Can make calls to Web Services, XML-RPC, etc.
Example
Silverlight
• Microsoft came up with a similar framework and player to Flash
• It helps in building RIAs
• It runs on the .NET framework
• Easy to build applications with, and works across platforms
• It may catch up down the line; still at a very early stage
Web 2.0 Data
Data structures
• Ajax uses various data streams
• Developers are innovating in this field
• JavaScript can talk with back-end sources
• Mashup applications can be leveraged
• It is important to understand these streams
• They have a significant security impact
JSON
• JSON (JavaScript Object Notation) is a lightweight data-interchange format
• Based on the JavaScript programming language (Standard ECMA-262)
• Completely language independent
• Familiar to programmers of the C family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others
• Interchangeability is the key.
JSON
• Example
{
  "firstName": "John",
  "lastName": "Smith",
  "address": {
    "streetAddress": "21 2nd Street",
    "city": "New York",
    "state": "NY",
    "postalCode": 10021
  },
  "phoneNumbers": [ "212 732-1234", "646 123-4567" ]
}
XML
• An XML stream can be accessed by an Ajax call
• It can be a Web Service
• XML parsing is done at the browser end
• The XHR object supports XML response handling
• XML nodes are extracted and injected into the DOM
• XML is becoming popular with Web 2.0 applications
Script as data
• Developers use script as data between the server and clients
• Information is sent to the browser as a set of variables
• These scripts get executed in the browser.
• This is another way of updating the DOM context
• DOM manipulation then needs eval()
Array serialization
• Array is another native JavaScript object
• It is possible to serialize this object across the application
• The browser extracts the array from the server response
• It injects the information into the DOM
• The DOM updates the browser view
• Arrays are popular and easy to exchange
JS-Object serialization
• JS objects can be serialized
• This way an entire object can be sent to the browser
• The object can contain both data and methods
• This is much easier for the browser to process
• It just injects the object into the DOM
• Once it is in the DOM it is easier to update the browser content
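As an added example (not from the slides), the streams described in the JSON, script-as-data, array serialization and JS-object serialization slides consumed two ways: with eval(), as the script-as-data slide describes, and with JSON.parse(). The sample streams are constructed for the demo, and track() is a hypothetical helper that records whether consuming a stream executed code.

```javascript
// Added example, not the slides' own code: consuming Web 2.0 data streams
// with eval() versus JSON.parse(). Streams below are constructed samples.

// Hypothetical tracker: counts how often a call embedded in a stream ran
const sideEffects = { calls: 0 };
function track(v) { sideEffects.calls++; return v; }

const STREAMS = {
  // JSON object, as on the JSON slide
  json: '{"firstName":"John","lastName":"Smith","phoneNumbers":["212 732-1234","646 123-4567"]}',
  // Array serialization
  array: '["John","Smith","NY"]',
  // JS-object serialization: data and a method together (not valid JSON)
  jsObject: '({firstName:"John", greet:function(){ return "hi " + this.firstName; }})',
  // Script as data: the value carries a call, so consuming it runs code
  scriptAsData: '{"firstName": track("John")}',
};

// "Script as data" consumption: the stream is evaluated as JavaScript, so
// whatever the server (or whoever controls the stream) put in it executes
function consumeWithEval(stream) {
  return eval('(' + stream + ')');
}

// Data-only consumption: JSON grammar only, nothing in the stream executes
function consumeWithJsonParse(stream) {
  return JSON.parse(stream);
}

// Review helper: can a pure-data parser accept this stream, or does the
// client need eval() to use it? The latter is the higher-risk design.
function classify(stream) {
  try { JSON.parse(stream); return 'data'; } catch (e) { return 'needs-eval'; }
}

// JS-object serialization without shipping code: send the data as JSON and
// attach the methods on the client side instead of evaluating them
function reviveWithMethods(jsonStream, methods) {
  return Object.assign(JSON.parse(jsonStream), methods);
}
```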
Conclusion

More Related Content

What's hot

Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01
Maisha Price
 
Webservice for android ppt
Webservice for android pptWebservice for android ppt
Webservice for android ppt
santosh lamba
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
Maurice De Beijer [MVP]
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
Mario Cardinal
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
Prateek Tandon
 
Things I wish web graduates knew
Things I wish web graduates knewThings I wish web graduates knew
Things I wish web graduates knew
Lorna Mitchell
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
Gökhan Şengün
 
ASP.NET WEB API
ASP.NET WEB APIASP.NET WEB API
ASP.NET WEB API
Thang Chung
 
Designing a RESTful web service
Designing a RESTful web serviceDesigning a RESTful web service
Designing a RESTful web service
Filip Blondeel
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27
Eoin Keary
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming Primer
Ivano Malavolta
 
Intoduction to php web services and json
Intoduction to php  web services and jsonIntoduction to php  web services and json
Intoduction to php web services and json
baabtra.com - No. 1 supplier of quality freshers
 
Restful web services ppt
Restful web services pptRestful web services ppt
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
Lorna Mitchell
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
Sanjeev Verma, PhD
 
Soap and restful webservice
Soap and restful webserviceSoap and restful webservice
Soap and restful webservice
Dong Ngoc
 
RESTful Web Services
RESTful Web ServicesRESTful Web Services
RESTful Web Services
Christopher Bartling
 
Json-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webJson-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the web
kriszyp
 
SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
Katrien Verbert
 

What's hot (20)

Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01
 
Webservice for android ppt
Webservice for android pptWebservice for android ppt
Webservice for android ppt
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 
Things I wish web graduates knew
Things I wish web graduates knewThings I wish web graduates knew
Things I wish web graduates knew
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
ASP.NET WEB API
ASP.NET WEB APIASP.NET WEB API
ASP.NET WEB API
 
Designing a RESTful web service
Designing a RESTful web serviceDesigning a RESTful web service
Designing a RESTful web service
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming Primer
 
Intoduction to php web services and json
Intoduction to php  web services and jsonIntoduction to php  web services and json
Intoduction to php web services and json
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services ppt
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
 
Soap and restful webservice
Soap and restful webserviceSoap and restful webservice
Soap and restful webservice
 
RESTful Web Services
RESTful Web ServicesRESTful Web Services
RESTful Web Services
 
Json-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webJson-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the web
 
SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
 

Similar to HTTP protocol and Streams Security

Networks
NetworksNetworks
Networks
Edward Blurock
 
Collector Web Services
Collector Web ServicesCollector Web Services
Collector Web Services
publisyst
 
WEB TECHNOLOGY Unit-5.pptx
WEB TECHNOLOGY Unit-5.pptxWEB TECHNOLOGY Unit-5.pptx
WEB TECHNOLOGY Unit-5.pptx
karthiksmart21
 
Ntg web services
Ntg   web servicesNtg   web services
Ntg web services
Farag Zakaria
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
6 app-tcp
6 app-tcp6 app-tcp
API Testing. Streamline your testing process.
API Testing. Streamline your testing process.API Testing. Streamline your testing process.
API Testing. Streamline your testing process.
Andrey Oleynik
 
Mike Taulty DevDays 2010 Silverlight 4 Networking
Mike Taulty DevDays 2010 Silverlight 4 NetworkingMike Taulty DevDays 2010 Silverlight 4 Networking
Mike Taulty DevDays 2010 Silverlight 4 Networking
ukdpe
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
Sam Bowne
 
Consuming RESTful Web services in PHP
Consuming RESTful Web services in PHPConsuming RESTful Web services in PHP
Consuming RESTful Web services in PHP
Zoran Jeremic
 
Consuming RESTful services in PHP
Consuming RESTful services in PHPConsuming RESTful services in PHP
Consuming RESTful services in PHP
Zoran Jeremic
 
Synapseindia dot net development web applications with ajax
Synapseindia dot net development  web applications with ajaxSynapseindia dot net development  web applications with ajax
Synapseindia dot net development web applications with ajax
Synapseindiappsdevelopment
 
Intro to Web Standards
Intro to Web StandardsIntro to Web Standards
Intro to Web Standards
Jussi Pohjolainen
 
Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016
Jack Zheng
 
cross document messaging, html 5
cross document messaging, html 5cross document messaging, html 5
cross document messaging, html 5
Kristoffer Snabb
 
Module 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptxModule 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptx
AASTHAJAJOO
 
Introduction to Web Services and the cocnept
Introduction to Web Services and the cocneptIntroduction to Web Services and the cocnept
Introduction to Web Services and the cocnept
PaceInfotech
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web Architecture
Chamnap Chhorn
 
.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7
Karel Zikmund
 
Web services
Web servicesWeb services
Web services
Hans Granqvist
 

Similar to HTTP protocol and Streams Security (20)

Networks
NetworksNetworks
Networks
 
Collector Web Services
Collector Web ServicesCollector Web Services
Collector Web Services
 
WEB TECHNOLOGY Unit-5.pptx
WEB TECHNOLOGY Unit-5.pptxWEB TECHNOLOGY Unit-5.pptx
WEB TECHNOLOGY Unit-5.pptx
 
Ntg web services
Ntg   web servicesNtg   web services
Ntg web services
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
6 app-tcp
6 app-tcp6 app-tcp
6 app-tcp
 
API Testing. Streamline your testing process.
API Testing. Streamline your testing process.API Testing. Streamline your testing process.
API Testing. Streamline your testing process.
 
Mike Taulty DevDays 2010 Silverlight 4 Networking
Mike Taulty DevDays 2010 Silverlight 4 NetworkingMike Taulty DevDays 2010 Silverlight 4 Networking
Mike Taulty DevDays 2010 Silverlight 4 Networking
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
Consuming RESTful Web services in PHP
Consuming RESTful Web services in PHPConsuming RESTful Web services in PHP
Consuming RESTful Web services in PHP
 
Consuming RESTful services in PHP
Consuming RESTful services in PHPConsuming RESTful services in PHP
Consuming RESTful services in PHP
 
Synapseindia dot net development web applications with ajax
Synapseindia dot net development  web applications with ajaxSynapseindia dot net development  web applications with ajax
Synapseindia dot net development web applications with ajax
 
Intro to Web Standards
Intro to Web StandardsIntro to Web Standards
Intro to Web Standards
 
Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016Web Landscape - updated in Jan 2016
Web Landscape - updated in Jan 2016
 
cross document messaging, html 5
cross document messaging, html 5cross document messaging, html 5
cross document messaging, html 5
 
Module 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptxModule 5 Application and presentation Layer .pptx
Module 5 Application and presentation Layer .pptx
 
Introduction to Web Services and the cocnept
Introduction to Web Services and the cocneptIntroduction to Web Services and the cocnept
Introduction to Web Services and the cocnept
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web Architecture
 
.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7
 
Web services
Web servicesWeb services
Web services
 

More from Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
Blueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
Blueinfy Solutions
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
Blueinfy Solutions
 
Android attacks
Android attacksAndroid attacks
Android attacks
Blueinfy Solutions
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
Blueinfy Solutions
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
Blueinfy Solutions
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
Blueinfy Solutions
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
Blueinfy Solutions
 

More from Blueinfy Solutions (18)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Recently uploaded

Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
Michael Price
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
isBullShit
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 

Recently uploaded (20)

Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 

HTTP protocol and Streams Security

  • 1. HTTP Protocol & Streams Security and Introduction
  • 3. The HTTP Protocol
    • Standard for transferring documents on the World Wide Web (RFC 2616 – 1.1)
    • TCP/IP based communications protocol
    • The protocol is –
      – connectionless
      – media-independent
      – stateless
      – mostly all text
  • 4. Sample HTTP exchange
    • Browser = client, Web server = server
    • HTTP Request (client to server):
        GET /index.html HTTP/1.1
        Host: www.example.com
        User-Agent: Mozilla/5.0
    • HTTP Response (server to client):
        HTTP/1.1 200 OK
        Date: Thu, 14 Jul 2005 20:27:45 GMT
        Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
        Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
        Etag: "3f80f-1b6-3e1cb03b"
        Accept-Ranges: bytes
        Content-Length: 438
        Connection: close
        Content-Type: text/html; charset=UTF-8
  • 5. HTTP Request and Response
    • Methods – GET, POST, HEAD
    • New Methods in HTTP 1.1
    • Header fields: Server, Host, Length, etc.
    • Response codes – 200, 404, 500, etc.
  • 6. HTTP Methods - Common
    • The GET method
    • The HEAD method
    • The POST method
  • 7. The GET Method
    • retrieves entity identified by the Request-URI
    • can be used to submit form data
      – URL-encodes form data and appends to Request-URI
    • query length is limited
        GET /index.html HTTP/1.1
        Host: www.example.com
        User-Agent: Mozilla/5.0
  • 8. The POST method
    • sends data block with request to server
    • extra headers describe message body
    • query length can be unlimited
        POST http://example.com/cgi-bin/search.cgi HTTP/1.1
        Host: example.com
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
        Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
        Keep-Alive: 300
        Referer: http://example.com/
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 17

        search=searchtext
  • 9. Analyzing HTTP traffic
    • Security assessment needs sound knowledge of HTTP analysis
    • Tools and mind needed to analyze the traffic
    • What to look for? – methods, cookies, query string, etc.
    • All part of HTTP – Response analysis is equally important.
  • 10. Other methods in HTTP/1.1
    • Trace – echoes back the received request
      – used with Via: and Max-Forwards for debugging
    • Put – uploads a representation of the specified resource
    • Delete – deletes the specified resource
    • Options (Extensibility hook) – returns HTTP methods supported by the server
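Slides 7 through 10 describe what a traffic review extracts from a request (method, query string, cookies, form body) and what an OPTIONS reply tells you about enabled methods. The block below is an added example, not code from the slide deck: it parses raw HTTP/1.1 message text the way a small review tool would and returns those fields as data. The request and response strings are constructed samples modelled on the slides (the query string, Cookie header and Allow header are assumptions added for illustration), and the list of methods to review is taken from slide 10.

```javascript
// Added example (not from the slides): parse raw HTTP/1.1 request and response
// text and pull out what a traffic review looks at first. All messages below are
// constructed samples, not captured traffic.

const SAMPLE_GET = [
  "GET /index.html?user=alice&page=2 HTTP/1.1",
  "Host: www.example.com",
  "User-Agent: Mozilla/5.0",
  "Cookie: sessionid=abc123; theme=dark",
  "", "",
].join("\r\n");

const SAMPLE_POST = [
  "POST /cgi-bin/search.cgi HTTP/1.1",
  "Host: example.com",
  "Content-Type: application/x-www-form-urlencoded",
  "Content-Length: 17",
  "",
  "search=searchtext",
].join("\r\n");

// Constructed reply to an OPTIONS request; the Allow header is the interesting part
const SAMPLE_OPTIONS_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache/1.3.27 (Unix)",
  "Allow: GET,HEAD,POST,OPTIONS,TRACE",
  "Content-Length: 0",
  "", "",
].join("\r\n");

// Split a raw message into start line, lower-cased header map and body
function parseHttpMessage(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue; // tolerate a malformed header line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: lines[0], headers, body };
}

// Request view: method, path, query string, cookies and URL-encoded form body
function analyzeRequest(raw) {
  const { startLine, headers, body } = parseHttpMessage(raw);
  const [method, target, version] = startLine.split(" ");
  const q = target.indexOf("?");
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? {} : Object.fromEntries(new URLSearchParams(target.slice(q + 1)));
  const cookies = {};
  for (const part of (headers["cookie"] || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  const declared = parseInt(headers["content-length"] || "0", 10);
  const ct = headers["content-type"] || "";
  const form = ct.startsWith("application/x-www-form-urlencoded")
    ? Object.fromEntries(new URLSearchParams(body.slice(0, declared)))
    : {};
  return {
    method, path, version, query, cookies, form, headers,
    // A body whose length disagrees with Content-Length deserves a second look
    lengthMismatch: body.length !== declared,
  };
}

// Response view: status code plus the methods an OPTIONS reply says are enabled.
// The methods to review are the ones slide 10 lists beyond GET/HEAD/POST/OPTIONS.
const REVIEW_METHODS = ["TRACE", "PUT", "DELETE"];
function analyzeOptionsResponse(raw) {
  const { startLine, headers } = parseHttpMessage(raw);
  const status = parseInt(startLine.split(" ")[1], 10);
  const allowed = (headers["allow"] || "")
    .split(",").map((m) => m.trim().toUpperCase()).filter(Boolean);
  return { status, allowed, flagged: allowed.filter((m) => REVIEW_METHODS.includes(m)) };
}
```

Running `analyzeRequest` over the two samples yields the method, path, parsed query string, cookie map and form fields; `analyzeOptionsResponse` over the constructed reply returns `flagged: ["TRACE"]`, which is the kind of finding a review of enabled methods is looking for.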
  • 12. Ajax
  • 13. Ajax model (diagram: "Classic web application model" versus "Ajax-enabled web application model"; layers shown are user interface, browser (with an Ajax engine in the Ajax model), transport layer, web and/or XML server, and server-side systems: data stores, backend processing, legacy systems; the classic flow is HTTP request / HTML + CSS data, the Ajax flow is JavaScript call / HTTP request / XML data)
  • 15. DOM
    • Dynamic HTML
    • Browser loads Document Object Model
    • DOM can be manipulated by scripts in the browser
    • Components – History – Location – Forms etc.
  • 16. XHR object
    • No Sockets in browser
    • XHR – XMLHttpRequest Object provides a socket to the browser.
    • It has an event model and async communication setup
    • XML – easy data structures to access and consume in the browser
    • JavaScript makes a call and accesses it from the server through XHR
  • 17. XHR - Ajax
        // Create the XHR object, falling back to the legacy IE ActiveX ProgIDs
        function getajax() {
          var http;
          if (window.XMLHttpRequest) {
            // Standards-compliant browsers
            http = new XMLHttpRequest();
          } else if (window.ActiveXObject) {
            // Older Internet Explorer: try the newer MSXML ProgID first
            http = new ActiveXObject("Msxml2.XMLHTTP");
            if (!http) {
              http = new ActiveXObject("Microsoft.XMLHTTP");
            }
          }
          // Asynchronous GET for a same-origin text resource
          http.open("GET", "./ajax.txt", true);
          http.onreadystatechange = function () {
            if (http.readyState == 4) {
              // readyState 4 = response complete; the text is written into the
              // page as HTML, so any markup in the response is rendered
              var response = http.responseText;
              document.getElementById('main').innerHTML = response;
            }
          };
          http.send(null);
        }
  • 18. RIA
  • 19. RIA
    • Rich Internet Applications can be created using Flash technologies
    • Various technologies through which the application can be created
    • Supports various libraries
    • Can make a call to Web Services or XML-RPC calls etc.
  • 21. Silverlight
    • Microsoft came up with a similar framework and player, like Flash
    • It helps in building RIA
    • It runs on the .NET framework
    • Easy to build applications and works across platforms
    • It may catch up down the line – still in a very early stage
  • 23. Data structures
    • Ajax is using various data streams
    • Developers are innovating in this field
    • JavaScript can talk with back end sources
    • Mashup applications can be leveraged
    • It is important to understand these streams
    • They have significant security impact
  • 24. JSON
    • JSON (JavaScript Object Notation) - a lightweight data-interchange format
    • Based on the JavaScript Programming Language (Standard ECMA-262)
    • Completely language independent
    • C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others.
    • Interchangeable is the Key.
  • 25. JSON
    • Example
        {
          "firstName": "John",
          "lastName": "Smith",
          "address": {
            "streetAddress": "21 2nd Street",
            "city": "New York",
            "state": "NY",
            "postalCode": 10021
          },
          "phoneNumbers": [
            "212 732-1234",
            "646 123-4567"
          ]
        }
  • 26. XML
    • XML stream can be accessed by Ajax call
    • It can be Web Services
    • XML parsing done at browser end
    • XHR object supports XML response handling
    • XML nodes are extracted and injected in the DOM
    • XML is becoming popular with Web 2.0 applications
  • 27. Script as data
    • Developers are using script as data between server and clients
    • Information sent to the browser as a variable set
    • These scripts get executed on the browser.
    • This is another way of updating DOM context
    • DOM manipulation needs eval()
  • 28. Array serialization
    • Array is another native JavaScript object
    • It is possible to serialize this object over the application
    • Browser extracts the array from the server
    • Injects information into the DOM
    • DOM updates the browser
    • Array is popular and easy to exchange
  • 29. JS-Object serialization
    • JS objects can be serialized
    • This way an entire object can be sent to the browser
    • Object can contain both data and methods
    • This is much easier for the browser to process
    • It just injects the object into the DOM
    • Once it is in the DOM it is easier to update the browser content
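Slides 24 through 29 cover four stream shapes that reach the browser: a JSON document, a bare array, a serialized JS object carrying methods, and "script as data" that is executed with eval(). The block below is an added example, not code from the slide deck: it puts an eval()-based consumer next to a JSON-only consumer and shows which streams each accepts, which is the security difference between the two. All four stream strings are constructed samples based on the slide 25 JSON (the greet method, the role field and the serializeForClient helper are assumptions added for illustration).

```javascript
// Added example (not from the slides): the stream shapes from slides 24-29 as seen
// by an eval()-based consumer versus a JSON-only consumer. All streams below are
// constructed samples.

// JSON stream: data only, no code (subset of the slide 25 document)
const JSON_STREAM =
  '{"firstName":"John","lastName":"Smith","postalCode":10021,' +
  '"phoneNumbers":["212 732-1234","646 123-4567"]}';

// Array serialization: a bare JavaScript array literal
const ARRAY_STREAM = '["John","Smith","NY"]';

// JS-object serialization: object literal carrying a method as well as data
const OBJECT_STREAM =
  '({"name":"John","greet":function () { return "hi " + this.name; }})';

// Script as data: the server sends a variable assignment to be run in the page
const SCRIPT_STREAM = 'var user = {"name":"John","role":"admin"}; user';

// eval()-based consumer (slide 27): whatever the server sends is executed as
// JavaScript, so data and code arrive through the same channel
function consumeWithEval(stream) {
  return eval(stream);
}

// JSON-only consumer: JSON.parse accepts data literals and throws on anything
// executable, so a method or a statement in the stream is rejected, not run
function consumeAsJson(stream) {
  try {
    return { ok: true, value: JSON.parse(stream) };
  } catch (e) {
    return { ok: false, reason: e.name + ": " + e.message };
  }
}

// Server side: emit arrays and objects as JSON so the client never needs eval().
// JSON.stringify drops function-valued properties, so methods never travel.
function serializeForClient(value) {
  return JSON.stringify(value);
}

// Walk the four samples through both consumers and report which were accepted
function compareConsumers() {
  const streams = { JSON_STREAM, ARRAY_STREAM, OBJECT_STREAM, SCRIPT_STREAM };
  const report = {};
  for (const [name, stream] of Object.entries(streams)) {
    let evalAccepted = true;
    try { consumeWithEval(stream); } catch (e) { evalAccepted = false; }
    report[name] = { evalAccepted, jsonAccepted: consumeAsJson(stream).ok };
  }
  return report;
}
```

`compareConsumers()` returns that eval() accepts all four streams while JSON.parse accepts only the JSON document and the array; the object-with-method and the script stream are rejected. That is the property to rely on when a page consumes a stream whose origin it does not fully control: parse it as data, and render it into the DOM as text rather than handing it to eval().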